> ## Documentation Index
> Fetch the complete documentation index at: https://ngrok.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Add authentication to your ngrok endpoints to control who can access your locally shared applications.

ngrok makes it easy to add authentication to any endpoint without modifying your application code.
Using [Traffic Policy](/traffic-policy/), you can require visitors to authenticate before they can access your local app.

## Add OAuth with Traffic Policy

The quickest way to protect your endpoint is with the [OAuth Traffic Policy action](/traffic-policy/actions/oauth/).
Add the following to your Traffic Policy configuration to require Google authentication:

### Using a Managed Provider

The following [Traffic Policy](/traffic-policy/)
configuration will provide your app with a google authentication step.

<CodeGroup>
  ```yaml policy.yml theme={null}
  on_http_request:
    - actions:
        - type: oauth
          config:
            provider: google
    - expressions:
        - "!actions.ngrok.oauth.identity.email.endsWith('@acme.com')"
      actions:
        - type: deny
  ```

  ```json policy.json theme={null}
  {
    "on_http_request": [
      {
        "actions": [
          {
            "type": "oauth",
            "config": {
              "provider": "google"
            }
          }
        ]
      },
      {
        "expressions": [
          "!actions.ngrok.oauth.identity.email.endsWith('@acme.com')"
        ],
        "actions": [
          {
            "type": "deny"
          }
        ]
      }
    ]
  }
  ```
</CodeGroup>

The `provider` value can be replaced with any of the [Supported Providers](/traffic-policy/actions/oauth/#supported-providers) that have an
a managed app available.

<Note>
  This example uses a managed Google OAuth application owned by ngrok.
  This is useful for testing and development, but you should use your own OAuth application when moving to production.
  See the [OAuth action documentation](/traffic-policy/actions/oauth/#managed-applications) for details.
</Note>

## Supported authentication methods

| Method                                            | Description                                                      |
| ------------------------------------------------- | ---------------------------------------------------------------- |
| [OAuth](/traffic-policy/actions/oauth/)           | Require login via Google, GitHub, Microsoft, and other providers |
| [OpenID Connect](/traffic-policy/actions/oidc/)   | Integrate with any OIDC-compliant identity provider              |
| [SAML](/traffic-policy/actions/saml/)             | Use SAML-based SSO for enterprise authentication                 |
| [Basic Auth](/traffic-policy/actions/basic-auth/) | Require a username and password                                  |

## Restrict access to specific users

You can restrict access to specific email addresses by defining your Traffic Policy in your ngrok configuration file:

```yaml title="ngrok.yml" theme={null}
on_http_request:
  - actions:
      - type: oauth
        config:
          provider: google
  - expressions:
      - "actions.ngrok.oauth.identity.email == 'teammate@acme.com'"
    actions:
      - type: deny
```

This is ideal for sharing your app with a specific teammate while keeping it private from everyone else.

## Next steps

* [OAuth action reference](/traffic-policy/actions/oauth/): full configuration options for OAuth
* [Network security](/guides/share-localhost/security): combine auth with IP restrictions and other controls
* [Traffic Policy](/traffic-policy/): explore all available Traffic Policy actions
